URLs Classified as Not-Resolved
Focus
Focus
Advanced URL Filtering

URLs Classified as Not-Resolved

Table of Contents

URLs Classified as Not-Resolved

Follow these steps to troubleshoot URLs classified as not-resolved. Not-resolved designation typically signals PAN-DB cloud connectivity issues.
Where can I use this?What do I need?
  • NGFW (Managed by PAN-OS or Panorama)
Note: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
URLs are classified as not-resolved if your firewall cannot connect to the PAN-DB URL filtering cloud service to perform lookups, or if PAN-DB takes too long to respond to URL queries. The cloud connection status and URL classification does not apply to expired subscription licenses or unlicensed users. For a detailed explanation of the URL categorization process, see How URL Filtering Works.
Use the following workflow to troubleshoot why some or all of the URLs being identified by PAN-DB are classified as Not-resolved:
  1. Check the PAN-DB cloud connection by running the show url-cloud status CLI command.
    The Cloud connection: field should show connected. If you see anything other than connected, then any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.
  2. If the cloud connection status shows connected, check the current utilization of the firewall.
    If firewall utilization is spiking, URL requests may be dropped (may not reach the management plane) and will be categorized as not-resolved.
    To view system resources, run the show system resources CLI command. Then, view the %CPU and %MEM columns.
    You can also view system resources on the System Resources widget on the Dashboard in the web interface.
  3. Consider increasing the Category lookup timeout (sec) value.
    Increasing the category lookup timeout value improves the likelihood that the URL category gets resolved and reduces the frequency of not-resolved URLs in logs.
    1. Select DeviceSetupContent-ID and edit the URL Filtering settings.
    2. Click OK and Commit your changes.
      You can also update the value using the set deviceconfig setting ctd url-wait-timeout CLI command.
  4. If the problem persists, contact Palo Alto Networks support.